tl;dr The cinder deliverables repos look OK. Thanks to jungleboyj and smcginnis for help in looking them over.
As you may have heard, there was a Gerrit breach in the 1 October to yesterday time frame. Here's a link to the analysis of the breach:
http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
The infra team has cleared all Gerrit HTTP passwords and removed any ssh keys that were added after the breach.
If you are super-paranoid, feel free to look over the commits to any of the cinder deliverables during the time frame of the breach. You can find them here:
https://static.opendev.org/project/opendev.org/gerrit-diffs/
Like I said, some of us have looked them over and not noticed anything suspect. What you'd be looking for is that an approval you've made or your +2 vote on an approved patch may have been put there by someone other than you. So if you see your +2 or +W on a patch that you have no memory of actually looking at, that would be considered suspicious activity. (On many levels.) If you notice such a situation, please notify us immediately.
cheers, brian